Approach to implementation


Last reviewed
Approach to implementation 
e.g amendments to existing law, total repeal of old laws
Austria  05.06.2018 Overall, the Austrian legislator used just a few opening clauses of the GDPR in a very moderate way highlighting a minimalistic approach to safeguard full harmonization. However, the ADPA nevertheless provides for some specific local provisions.

Further, special data protection provisions will follow in other Austrian laws since the ADPA is limited to the general provisions. Thus, we will learn in the future whether the Austrian legislator keeps up with its restraint or if stricter local rules will come through the backdoor of specific laws. 
Belgium 08.10.2018

The Belgian Privacy Act fully repeals the Privacy Act of 8 December 1992, which had already been partly repealed by the Act of 3 December 2017 on the creation of the Data Protection Authority. It also implements Directive 2016/680 on data protection in the police and criminal justice sectors, which takes up the majority of the Act's 286 articles.

Czech Republic 13.09.2018 Current DPA No. 101/2000 Coll. to be repealed by the new DPA. Multiple existing laws (e.g. Civil Procedure Code, Criminal Procedure Code) to be amended by an Amending Act. The new DPA shall also transpose the Law Enforcement Directive.
Denmark 06.09.2018 Replaced the former Act on Processing of Personal Data with a new Data Protection Act on 25 May 2018.
Finland 17.05.2018 The new Data Protection Act will abrogate the current Personal Data Act. It is still unclear how the GDPR will affect several hundred laws that currently include specific rules on data protection.
France 22.05.2018 This bill modifies the current act N°78-17 of 6 January 1978 on information technology, data files and civil liberties. 
Germany 23.05.2018 Almost all opening clauses are used. GDPR-regulated areas are combined with out-of-scope-areas such as law enforcement and national security.
Hungary  17.05.2018 According to the published draft bill the InfoAct is going to remain in force but its scope will be limited to data processing activities which are not within the scope of the GDPR. As far activities covered by the GDPR are concerned, only certain provisions of the InfoAct will be applicable. These provisions will be listed in Article 2 of the InfoAct (in its amended form).
Update (04 December 2017): it seems that the Ministry of Justice has recognized that the structure of the first draft was hard to interpret, and that the new InfoAct should be more 'user friendly'. 
Update (16 May 2018): There is no news on the approach of the Ministry of Justice regarding the amendments of the InfoAct.
Ireland  07.06.2018  The Data Protection Act 2018 (the “Act”) covers both the GDPR and the Law Enforcement Directive.

The Data Protection Acts 1988 and 2003 (the “1988 and 2003 Acts”) are largely superseded. Under section 8 of the Act, the 1988 and 2003 Acts will continue to apply to (a) the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, and (b) the processing of personal data under certain forensic evidence and vehicle registration legislation.

The Act provides for certain exemptions from the data subject rights and related obligations provided for under the GDPR. Further exemptions may be specified by secondary legislation.
Where the Act provides that processing of personal data in certain contexts must be subject to “suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects”, section 36(1) of the Act provides a non-exhaustive list of such measures. Secondary legislation may be enacted for the purpose of (a) identifying additional suitable and specific measures which may be taken, or (b) specifying that measures referred to in section 36(1) of the Act are mandatory. 
Italy 17.05.2018 The Scheme will amend the IDPA provisions in conflict with GDPR.
Netherlands 17.09.2018 GDPR Execution Act ("UAVG") is to repeal the current Dutch Data Protection Act ("Wbp"). On 9-12-2016 the Dutch Ministry of Security & Justice (in charge of privacy and data protection matters) issued the GDPR Execution Act (Uitvoeringswet Algemene Verordening Gegegevensbescherming). Purpose of this Execution Act is to effectuate the GDPR and repeal the current Dutch Data Protection Act (Wet bescherming persoonsgegevens).
Poland 07.09.2018 The old Data Protection Law has been repealed and replaced by PDPA. The Inspector General for Personal Data Protection (GIODO) has been replaced by the President of the Personal Data Protection (PUODO). The ASA will introduce amendments to the existing sectoral acts.
Slovakia 13.09.2018   The New DPA has fully repealed the previous Act no. 122/2013 Coll. on Personal Data Protection.
Spain 07.09.2018 Organic Law 15/1999 will be repealed and replaced by the future Data Protection Act.
Sweden 06.09.2018 The Personal Data Act (1998:204) was repealed and replaced by the Data Protection Act (2018:218).
UK 23.05.2018

Repeals Data Protection Act 1998

Further Statutory Instruments are anticipated 

In addition to implementing GDPR related provisions, the Act contains additional provisions to:

  • address the gaps left by repeal of 1998 Act and to apply a broadly equivalent regime to certain types of processing which GDPR does not cover;
  • implement the Law Enforcement Directive; and 
  • cover processing  of personal data by intelligence services.